The humble SIM card has finally been hacked: Billions of phones at risk of data theft, premium rate scams


It took a long time — more than 20 years, to be exact — but the humble SIM card that sits within your phone, and seven billion others, has finally been hacked. Of the seven billion modern SIM cards in circulation, hundreds of millions are estimated to be susceptible. The hacks allow a would-be attacker to infect your SIM with a virus that sends premium text messages, or records your phone calls — and, in some cases, access the secure, sandboxed details stored on your SIM by mobile payment apps, giving a hacker access to your bank and credit card details. Now that a proof of concept has been demonstrated, we wouldn’t be surprised if the billions of other SIMs in circulation are also vulnerable to other attack vectors.

For the longest time, I thought that SIM cards were merely a piece of laminated memory that stored the data your phone needs to connect to a cellular network (ICCID, Ki, etc.), along with enough space to store a few phone numbers. In actuality, the SIM card in your phone is a small computer, with memory, a processor, and even an operating system. As you can see in the diagram below, there is a chip beneath those gold contacts, and on that chip there is a processor, ROM (firmware that stores the OS and SIM apps), EEPROM (which stores your phone book, settings, and patches), and RAM (for use by the SIM’s OS and apps). In the photo below of a disassembled SIM card, you can clearly see that this is quite a complex computer chip.

And, unfortunately, like any computer chip that runs an operating system and apps, a SIM card can be hacked. In this case, modern SIM cards run a very simple OS that loads up Java Card — a version of the Java virtual machine for smart cards (SIMs being one variety of smart card). Java Card essentially runs small Java applets, and each applet is encapsulated and firewalled (sandboxed) by the Java VM, preventing sensitive data from leaking to other apps. Your phone interacts with these apps via the SIM Application Toolkit (STK) to display information on your screen and to interact with the outside world. To load apps onto the SIM or to update them, hidden text messages are sent by the carrier, containing over-the-air (OTA) programming in binary form. These messages are signed with a cryptographic key, so that the SIM knows they originated from a trusted source.

Now, German security researcher Karsten Nohl has discovered a way of finding out that all-important cryptographic key. By sending his own OTA SMSes that aren’t signed with the correct key, he discovered that some phones pop up an error message that contains a cryptographic signature. Then, using rainbow tables (precomputed tables that map encrypted values back to the keys that produced them), Nohl found he could discover the SIM card’s cryptographic key in about one minute. Once he had this key, he could send apps and viruses to the SIM card that can send premium text messages (racking up huge bills), re-route or record calls, collect location data — you name it; with access to the SIM, you can do just about anything.
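The weakness in the paragraph above is a response-side one: the card rejects a badly signed message but answers with something computed under the very key it is protecting, which gives the sender a keyed value over content they chose to test guesses against offline. The toy model below is an added illustration, not code from the article or from any SIM vendor. Its message layout (payload followed by an 8-byte tag), the demo key, and HMAC-SHA256 as the tag algorithm are all assumptions chosen so it runs with the Python standard library; the cards the article describes used a much shorter single-DES key. It shows the leaky handler beside a hardened one that discards bad messages silently and only counts them, plus a check a defender can run against either handler to see whether its error path gives away keyed material.

```python
"""Toy model of a SIM's over-the-air (OTA) message handler.

Constructed example: message format, key, tag length and HMAC-SHA256 are
assumptions for illustration only, not the real SIM OTA protocol.
"""
import hashlib
import hmac
from typing import Callable, List, Optional

TAG_LEN = 8
# Constructed demo key; stands in for the per-SIM OTA key.
OTA_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def make_tag(key: bytes, data: bytes) -> bytes:
    """Keyed tag over data (stands in for the OTA signature)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def build_ota(key: bytes, payload: bytes) -> bytes:
    """Carrier side: payload followed by its tag."""
    return payload + make_tag(key, payload)


def split_ota(msg: bytes):
    """Separate payload and tag; reject messages too short to carry a tag."""
    if len(msg) < TAG_LEN:
        raise ValueError("message too short")
    return msg[:-TAG_LEN], msg[-TAG_LEN:]


def vulnerable_handler(msg: bytes) -> Optional[bytes]:
    """Leaky behaviour: a badly signed message is rejected, but the
    rejection itself carries a tag under the real key over content the
    sender chose, so every probe yields a keyed value to test offline."""
    payload, tag = split_ota(msg)
    if hmac.compare_digest(tag, make_tag(OTA_KEY, payload)):
        return b"OK:" + payload
    error = b"ERR:" + payload
    return error + make_tag(OTA_KEY, error)


# Count of rejected messages, kept so a carrier can rate-limit or alert.
rejected_log: List[int] = []


def hardened_handler(msg: bytes) -> Optional[bytes]:
    """Same verification (constant-time compare), but a failed check
    produces no output at all; only a counter is updated."""
    payload, tag = split_ota(msg)
    if hmac.compare_digest(tag, make_tag(OTA_KEY, payload)):
        return b"OK:" + payload
    rejected_log.append(len(payload))
    return None


def leaks_keyed_material(handler: Callable[[bytes], Optional[bytes]]) -> bool:
    """Defender's check: send one unauthenticated message and see whether
    the reply contains anything that verifies under the real key."""
    probe = b"probe" + bytes(TAG_LEN)  # all-zero tag, not a valid signature
    reply = handler(probe)
    if reply is None or len(reply) < TAG_LEN:
        return False
    body, tag = reply[:-TAG_LEN], reply[-TAG_LEN:]
    return hmac.compare_digest(tag, make_tag(OTA_KEY, body))


if __name__ == "__main__":
    for name, h in (("vulnerable", vulnerable_handler), ("hardened", hardened_handler)):
        print(name, "leaks keyed material:", leaks_keyed_material(h))
```

Both handlers accept a correctly tagged message identically; the only difference is the failure path. Whether the leaked value is an HMAC or a DES MAC, the defender's rule is the same: never emit a keyed computation in reply to input that failed authentication, and count failures rather than echo them.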

Nohl also found a separate bug in Java Card, essentially an out-of-bounds error (asking for the sixth item in a list when the list only contains five items), that can give an app/virus full root access to your SIM card — effectively breaking out of the encapsulation/sandboxing provided by the Java Card VM. With root access, these malicious apps could then obtain any data stored on your SIM, including your address book, or sensitive banking details stored by mobile payment apps. This is an issue, as the only reason that mobile payment apps are being rolled out in the first place is because the SIM card has long been considered a safe haven — but, as luck would have it (really, it’s quite unsurprising), there’s a massive security hole just waiting to be exploited.

An introduction to Java Card apps, by C. Enrique Ortiz

Nohl estimates that out of 100 mobile phones, he could gain root access to the SIM card on 13 of them. SIM cards that use newer, stronger encryption (Triple DES) don’t appear to be susceptible to these attack vectors, but Nohl says he’ll give more information at his Black Hat talk at the end of July. Verizon and AT&T say they are not vulnerable to the vulnerabilities exposed by Nohl. In essence, mitigation of this attack comes down to the encryption standard used by your SIM card — so if you use a SIM that’s more than a few years old, you should probably get a new one (most carriers will provide a new SIM if you ask nicely). Some carriers, though, simply won’t have upgraded to Triple DES yet — and, as you can imagine, carriers won’t publicly admit that they’re using out-of-date security methods.

Even with the updated cryptographic standard, though, it’s clear that Java Card itself is flawed — and patching it, and distributing those patches, will take a lot more effort than rolling out Triple DES. Even if the holes can be easily fixed, the simple fact is that computers are intrinsically insecure — and now that a proof of concept with the potential for massive monetary gain has been demonstrated, it’s only a matter of time until more vulnerabilities are found.
